Hackers claim stolen Lockheed Martin data shared with IRGC, threaten defense giant’s engineers

An F-35A Lightning II takes off from an undisclosed location in support of Operation Epic Fury on March 2, 2026. (U.S. Air Force photo)

By Bridget Johnson

The pro-Iran hacking group that claimed to have swiped a large volume of data from Lockheed Martin hiked their ransom demand even while saying they already shared sensitive information with the IRGC, as the hackers who hit a U.S. med-tech firm said they are now targeting specific Lockheed engineers working in Israel.

On Monday, APT IRAN demanded “about $400 million” from the United States — “the cost of building four F-35 fighters” — in ransom for 375 terabytes of sensitive information “including technical documentation from active military projects, confidential contracts, high-level personnel information and sensitive administrative emails.”

APT IRAN, which is closely linked to CyberAv3ngers and has previously focused on operational technology targets, detailed at the beginning of the war an attack aimed at manipulating agricultural sector control systems in an incident the Jordanian government said was intended to destroy a strategic wheat stockpile. The group also claimed to have breached Jordan’s Bank al Etihad as well as “the management systems of the solar project in the Aqaba Special Economic Zone.”

In a Telegram post, the group described the allegedly stolen Lockheed Martin data as “technical drawings and source codes” and “architectural documents for future missile defense systems,” along with internal emails from research teams and other unnamed items. APT IRAN also posted its statement in Chinese and Russian and claimed that a data sample to support their claim would be “coming soon.”

On Sunday, the group released an email purported to be from a senior official at the company, along with a video showing access to the alleged inbox.

“We are currently receiving numerous requests from China, Russia, and Arab countries to sell this information to them, and some of them are even willing to pay for sample data, which is great,” APT IRAN said in a Telegram post Monday. “The interesting thing is that Trump’s allies are looking to buy this information from us at a very high price.”

Lockheed Martin said it was aware of the claim and has “policies and procedures in place to mitigate cyber threats to our business,” adding that the company remains “confident in the integrity of our robust, multilayered information systems and data security.”

Today, after the 48-hour deadline set by the alleged hackers had passed without payment from the defense giant, APT IRAN announced that the price had jumped to $600 million and claimed it could go as high as $1 billion.

“This decision is in line with the full coverage of the advanced infrastructure currently being implemented to manage Threat Market’s big data,” the group said, posting an Onion link where they said “this massive dataset will be uploaded.” Threat Market, a Russian-language underground data site, acknowledged in English on their Telegram channel that APT IRAN “asked us to provide the necessary infrastructure to sell Lockheed Martin information,” adding that “our old friends have been asked for help and we are helping them.”

“Also, due to threats from this company or its affiliates or supporters of the United States, the CyberAv3ngers Telegram channel has been relaunched,” APT IRAN announced, adding, “The butterfly should not get too close to the candle.”

CyberAv3ngers is an Iranian cyber actor affiliated with the Islamic Revolutionary Guard Corps that has claimed multiple critical infrastructure attacks in the past several years, primarily against the energy and water sectors in the United States, Israel and elsewhere. A Telegram channel under the group’s name was created Wednesday.

In a Q&A posted to their Telegram channel today, APT IRAN claimed that they shared Lockheed data with the IRGC for free, “but this information is not only going to be available to the Iranians. We have many customers in China and Russia.” The hackers added that $600 million from Lockheed Martin only “might be able to provide this guarantee so that the information will only be in Iran’s hands and not sold to China, Russia, etc.”

Threat Market’s post claimed that “the volume of data extracted from Lockheed is very high” and “we were lost in a huge mountain of data.”

“The APT IRAN group asked for direct access to our admin panel and we gave them this access,” Threat Market added. “We will also put this money into the mixer and separate our percentage from the sales and mixers. Apparently this group intends to crush Lockheed and we will help this group too.”

The Iranian hacking group Handala, which vowed “the destruction of your infrastructure” shortly after the first U.S.-Israeli strikes on Iranian targets and carried out a wiper attack on U.S. medical tech company Stryker, claimed in a Wednesday post on Telegram that it had also targeted Lockheed Martin employees.

“The manufacturer of the F-35, F-22, THAAD missile defense system, and advanced electronic warfare systems could not even protect its own identity,” Handala said. “You will see tomorrow.”

In a corresponding website post, Handala issued a 48-hour response time for the “new phase of Operation Lockheed Martin,” claiming that they had “the complete data of 28 senior engineers based in the occupied territories and involved in military projects” including names, home addresses and service bases. They released a list of names and locations as well as some passport images.

“In recent hours, we have established contact with some of them to demonstrate just how fragile digital barriers can be,” Handala continued. “From conversations about their daily interests to ordinary details of their lives, all was done to show that ‘privacy’ is merely a word in a book, not a reality.”

They posted an image of a text message, obscuring the phone number except for the +972 Israel country code, in which the recipient was told that their “credentials as a Senior Engineer at Lockheed Martin have just been broadcast on Iranian television.”

“You have 48 hours to return home, after that, keep your eyes on the sky,” the message added.
